A breach isn’t just loss of data. It’s loss of time, loss of money, and loss of reputation. What happens when there is unauthorized access to protected health information (PHI)?

1. Breach Investigation

An external organization must investigate the breach to identify the cause and ensure that unauthorized access to PHI has been blocked.

2. Remediation

A data breach places a considerable administrative burden on healthcare providers. Staff must issue notifications, update websites, field customer queries, and implement new safeguards.

3. Temporary Operational Changes

All the safeguards that should have been installed to prevent a breach must now be implemented, under the close scrutiny of the Office for Civil Rights.

4. Breach Notification Letters

Breach notification letters must be issued to all affected individuals by first-class postage ($0.49). Subsequent notifications may need to be sent with updated information.

5. Identity Theft Prevention

HIPAA requires covered entities to provide free credit protection monitoring and identity theft protection to all breach victims. The current cost is estimated to be $10 per individual, per month. These services must be offered for 1 to 2 years.

6. Regulatory Fines / Office for Civil Rights

The Office for Civil Rights issues financial penalties for HIPAA violations up to a maximum of $1.5M per year, per violation category. The highest fine issued to date was $16M for the Anthem breach of almost 79 million individuals.

7. Regulatory Fines / Attorney General’s Office

Attorney General’s Offices assist the OCR in policing HIPAA Privacy and Security rules. State AG offices are issuing fines for HIPAA breaches at a state level up to $25,000 per violation category.

8. Lost Business / Loss of Reputation

Providers can expect a churn rate of 5-6% following a data breach, while 65% of consumers would consider switching providers following a major HIPAA data breach.

9. Class Action Lawsuits

Anthem had 3 class action lawsuits filed in the first 24 hours after the breach. Class action lawsuits usually claim damages of $1,000 per victim. Negligence claims may also be filed against healthcare providers for exposing PHI.

10. Website / Helpline for Breach Victims

HIPAA requires covered entities to publish information on a company or dedicated website as well as provide victims with a free telephone number to allow them to obtain further information.

For more information on how your organization can avoid a costly HIPAA data breach contact us at info@nexa1.com

Sources:  Ponemon Institute; Transunion; CFO.com; HHS.gov
